CVE-2023-30867 — SQL Injection in Software Foundation Apache Streampark

CWE-89 — SQL Injection4 documents4 sources

Severity

4.9MEDIUMNVD

EPSS

0.4%

top 39.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Streampark Apache Streampark

Timeline

PublishedDec 15

Description

In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage. Mitigation: Users are recommended to upgrade to version 2.1.2, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/streampark2.0.0 — 2.1.2

▶CVEListV5apache_software_foundation/apache_streampark2.0.0 — 2.1.2

🔴Vulnerability Details

GHSA

Apache StreamPark: Authenticated system users could trigger SQL injection vulnerability↗2023-12-15

▶

CVEList

Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability↗2023-12-15

▶

OSV

Apache StreamPark: Authenticated system users could trigger SQL injection vulnerability↗2023-12-15

▶